DATA SHARINGand

DATA SHARING AGREEMENTS

Teresa Mulford

MDCH, Office of Legal Affairs

● Definition/Purpose

o Agreement between parties that outlines how shared data will be used, disclosed, and protected, by agreeing to provisions that place general and specific limitations on the receiving party...

o HIPAA and other laws require Covered Entities to obtain satisfactory assurance that the data recipient will only use or disclose the information for limited purposes to ensure that shared data will not be misused.

Data Sharing Agreement

● Can the Data be shared and what type of agreement is needed?

● Steps o Can the data be shared?

o Identify:o The data elements requested

o De-identifiedo Limited Data Seto Identifiable Data

o The applicable confidentiality lawso The parties – Business Associate, Covered Entity, Researcher, Public

Health Agency, …

Overview of Today’s Discussion

● What type of written agreement is appropriate?

Business Associate Agreement (BAA)

Memorandum of Understanding (MOU)

Data Sharing Agreement (DSA)

You have determined that the data can legally be shared -

● When Required by Lawo HIPAAo IRBo Financialo Other

● For liability reasons

● For ethical reasons

WHEN / WHY IS A DSA NEEDED?

● Include language to ensure proper use, disclosure,…etc….

● Routine provisions – those required by law

● Special Provisions – unique to the data

WHAT PROVISIONS

● Follow up is required –

o After agreed time, at end of project, etc.

o Ensure shared data continues to be protected or has been returned or destroyed Follow up –

Monitoring

● Step One: Identify the data elements requested:

o De-Identified Data

o Limited Data Set

o Identifiable Data

Can the data be shared?Steps…

● Two methods of de-identification

o First: Safe Harbor – HIPAA list of identifiers – Note: All dates and most demographic information are included as identifiers. Ages, zip codes, or ‘dummy codes’ are permitted with limitations.

o Age: In most cases, year of birth may be retained, which can be combined with the age of the subject to provide sufficient information about age for most uses - however dates that might be directly related to the subject must be removed or aggregated to the level of year to prevent deduction of birth dates. Extreme ages – 90 and over – must be aggregated further to avoid identification of very old individuals. For young children or infants – age can be expressed in months, days, or hours – as long as the birth date can not be determined.

(Zip codes, ‘dummy codes’ – see following slides…)

De-identified Data

● Two methods of de-identification…continued

o First: Safe Harbor…continued

o Zip Code: Three digit zip codes can be used if the zip code area contains more than 20,000 people as determined by the Bureau of the Census. (In 2000, there were only 18 three-digit zip codes containing fewer than 20,000 people).

o ‘Dummy codes’: A re-identification code can be created and provided to the data recipient as long as the code was not derived from information related to the subject of the information. The HMAC (keyed hash message) mechanism can not be used to create a dummy code in a de-identified data set. The mechanism used to create the code can not be disclosed to the data recipient.

De-identified Data…cont.

● Two methods of de-identification…continued

o Second: Expert – a person with appropriate knowledge and experience is to apply generally accepted statistical and scientific methods to render information not individually identifiable.

De-identified Data…cont.

● All direct identifiers must be removed. Some demographic information, dates, and ‘dummy codes’, are permitted. Under HIPAA, a Limited Data Set can only be shared for the purpose of Research, Public Health, or Health Care Operations.

o Demographic information is allowed, such as zip codes, cities, and geographic areas, however, street addresses are direct identifiers that must be removed.

o All Dates are permitted – including birthdates, however, requests for birthdates should be reviewed for necessity.

o ‘Dummy codes’: A re-identification code can be created and provided to the data recipient as long as the code was not derived from information related to the subject of the information. The HMAC (keyed hash message) mechanism CAN be used to create a dummy code in a limited data set (but not in a de-identified data set). The mechanism used to create the code can not be disclosed to the data recipient.

Limited Data Set

● Data with identifiers may be shared if an exception exists under applicable law.

o HIPAA permits the sharing of identifiable data for specific purposes – in which case, a Data Sharing Agreement may be warranted.

Identifiable Data

● Step Two: Identify the applicable confidentiality laws…more than one may apply

o Medicaido Public Health Codeo Mental Health Codeo HIV/AIDS/STDo Substance Abuse o HIPAA o Research – Human Subjects (Common Rule)o Other

Can the data be shared?Steps…cont.

● When more than one confidentiality law is applicable and both/all cannot be complied with…

o The HIPAA Privacy regulation will preempt all other privacy or confidentiality laws, (state or otherwise) unless – the other law provides the individual with greater privacy rights or protections.

Can the data be shared?Steps…cont.

● Step Three: Identify the players – and the relationship between the data provider and the requester

o Business Associateo Covered Entity (under HIPAA)o Public Health Agencyo Researchero Government entityo Independento Other

Can the data be shared?Steps…cont.

● After analyzing the requested data elements, all applicable laws, and the players – and their relationship, you have decided that the information can be shared…

(descriptions that follow under each type of agreement can be used to sort out this

information.)

● What type of written agreement is appropriate?

Business Associate Agreement (BAA)

Memorandum of Understanding (MOU)

Data Sharing Agreement (DSA)

You have determined that the data can legally be shared -

● Business Associate Agreement (BAA)

o A business associate is an entity/contractor that the covered entity, MDCH, has contracted with to perform a HIPAA covered function on MDCH’s behalf that requires the sharing of protected health information (PHI).

o HIPAA requires covered entities, such as MDCH, to enter into a written Business Associate Agreement that requires the business associate to comply with the confidentiality provisions under HIPAA.

o Differentiate a business associate from other entities – a business associate is performing a function on MDCH’s behalf – which requires a BAA, and the other is performing a function on its own behalf.

What type of written agreement is appropriate?

● Memorandum of Understanding (MOU)

o A MOU is similar to a BAA, however, is generally used when sharing identifiable data between governmental entities to carry out responsibilities under state or federal law.

What type of written agreement is appropriate?

● Data Sharing Agreement (DSA)

o A DSA may be required in the following circumstances:

o If sharing de-identified information with any entity.

o If sharing a limited data set or identifiable data with a business associate where a new function has been added under the contract.

o If sharing a limited data set with a business associate that has requested the information for its own public health, research, or health care operations.

(continued…)

What type of written agreement is appropriate?

A DSA may be required in the following circumstances (continued):

o If only sharing a limited data set with a business associate

to perform functions on MDCH’s behalf – thereby eliminating the need for a BAA.

o If sharing a limited data set with a researcher. This eliminates the researcher’s need for an individual’s authorization. The researcher also might be able to bypass the Institutional Review Board review requirement for human subjects research. (Refer to Harry McGee.)

(continued…)

Data Sharing Agreement (DSA)(continued…)

A DSA may be required in the following circumstances (continued):

o If sharing a limited data set with another covered entity that has requested the information for its own public health, research, or health care operations. (Assists in the sharing of data with another covered entity where HIPAA limits the sharing of fully identifiable information – e.g. “to another covered entity for its health care operations”.)

o If sharing a limited data set with any other entity for public health or research purposes. (e.g., non MDCH cancer registry.)

o If sharing fully identifiable information to an entity for a permitted purpose under HIPAA or other applicable confidentiality law.

Data Sharing Agreement (DSA)(continued…)

● Include language to ensure proper use, disclosure,…etc….

● Routine provisions – those required by law

(HIPAA requirements handout and copy of MDCH template.)

● Special Provisions – unique to the data requested

WHAT PROVISIONS

● Follow up is required –

o After agreed time, at end of project, etc.

o Ensure shared data continues to be protected or has been returned or destroyed

After the DSA is signed, the data is

provided, … Monitoring and

● Please forward a copy of all completed MDCH Data Sharing Agreements to the Office of Legal Affairs (OLA) to be entered into MDCH DSA Database.

MDCH Log of Data Sharing Agreements

● Identify the requested data elements, the applicable laws, and the players,

● Determine the appropriate agreement that is needed and execute,

● Send copy of completed MDCH DSA to OLA to be logged,

● Monitor – and follow up at end of project, or agreed upon time, to ensure shared data continues to be protected or has been returned or destroyed.

In review:

● Forward any MDCH questions to the Office of Legal Affairs:

● (517) 241-0048● Email: mulfordt@michigan.gov

Questions?